Abstract

If we combine two secure cryptographic systems, is the resulting system still secure? Answering this question is highly non-trivial and has recently sparked a considerable research effort, in particular in the area of classical cryptography. A central insight was that the answer to the question is yes, but only within a well specified composability framework and for carefully chosen security definitions.

In this article, we review several aspects of composability in the context of quantum cryptography. The first part is devoted to key distribution. We discuss the security criteria that a quantum key distribution protocol must fulfill to allow its safe use within a larger security application (e.g., for secure message transmission); and we demonstrate — by an explicit example — what can go wrong if conventional (non-composable) security definitions are used. Finally, to illustrate the practical use of composability, we show how to generate a continuous key stream by sequentially composing rounds of a quantum key distribution protocol.

In a second part, we take a more general point of view, which is necessary for the study of 
cryptographic situations involving, for example, mutually distrustful parties. We explain the 
universal composability framework and state the composition theorem which guarantees that 
secure protocols can securely be composed to larger applications. A focus is set on the secure 
composition of quantum protocols into unconditionally secure classical protocols. However, the 
resulting security definition is so strict that some tasks become impossible without additional 
security assumptions. Quantum bit commitment is impossible in the universal composability 
framework even with mere computational security. Similar problems arise in the quantum 
bounded storage model and we observe a trade-off between the universal composability and the 
use of the weakest possible security assumptions. 

1 Introduction 

Provable security, even for complex security applications, is desirable. However, giving one monolithic security proof for a larger cryptosystem is error prone, and a modular design is usually advantageous. But this comes with a major difficulty, namely that security definitions are not generally closed under composition. Therefore, an application may be insecure even if the individual components it consists of are secure. During the past few years, finding solutions to this problem has been a main focus of research in cryptography. This research effort has resulted in the development of frameworks in which security definitions are universally composable.

We review several aspects of composability in the context of quantum cryptography and structure our exposition into two parts. Section 2 considers the security and composability of Quantum Key Distribution (QKD), which is the most prominent application of quantum cryptography. In a second part, starting with Section 3, we consider the problem of composability for general security applications.

The reason for this organization of the paper is that for the usual treatment of QKD, one assumes a fixed adversary structure, i.e., Alice and Bob are always honest (in particular, they trust each other), while only a third party with access to the communication channels is malicious. This avoids many of the problems that arise in the more general considerations outlined in Sections 3 through 5, where arbitrary parties may be corrupted.
2 Quantum Key Distribution (QKD)



2.1 QKD in a Nutshell 

Quantum key distribution (QKD) is the art of distributing a secret key to two distant parties, Alice and Bob, connected by an insecure quantum channel. Technically, a secret key is simply a random bitstring for which there is a certain guarantee that its value is unknown to an adversary, Eve. Such a key may be used for a variety of cryptographic tasks. The most prominent among them is certainly the secure transmission of secret messages over an insecure channel. Here, the key typically serves as a one-time-pad for message encryption.

In the past two decades, numerous QKD schemes have been proposed. Although they differ in many aspects (such as their realizability with current technology), they still very much resemble the original protocols put forward by Bennett and Brassard [5] (based on ideas by Wiesner [JS]) and by Ekert [16]. We will not attempt here to give a description of these protocols. In fact, for the purpose of this article, it is sufficient to take a rather abstract point of view, where the internal workings of the protocols are unimportant. (The reader interested in the concrete protocols is referred to the original articles [5, 16] as well as the recent review articles [38] and references therein.)

The security of QKD basically relies on an intrinsic property of quantum mechanics, namely that it is generally impossible to copy the state of a system without disturbing the original.^1 For cryptography, this means that any attempt of an attacker to "steal" appropriately encoded information can in principle be detected. This also motivates the basic structure of QKD protocols: first, Alice and Bob send random signals over the quantum channel and then, in a second step, perform tests to check for disturbances in the signals, which may be a sign of an attack. Depending on this test, the protocol typically has one of two different outcomes. Either the disturbances are found to be too large, in which case the protocol aborts with the declaration that no key can be generated. Otherwise, if there are no (or only small) disturbances, Alice and Bob use the randomness in the distributed signals to generate a key.^2

Although QKD is often said to be unconditionally secure, there are still a few assumptions needed to prove security of the generated keys. The first (usually implicit in the literature) is that Alice and Bob are honest, meaning that they both follow their respective part of the protocol.^3 Second, it is assumed that Alice and Bob can exchange classical messages authentically, i.e., it is impossible for an adversary to alter the classical messages exchanged between Alice and Bob. In practice, this is usually achieved by invoking an authentication scheme (see, e.g., [46]) which, however, requires Alice and Bob to share a short initial key. Because of this latter assumption, QKD is sometimes called key growing rather than key distribution.

After this brief introduction, we are now ready to have a closer look at the notion of security used in the context of QKD. We introduce an explicit definition (Section 2.2) and then show its composability (Section 2.3). As an example, we discuss the problem of generating a continuous key stream by sequentially composing many rounds of a QKD protocol (Section 2.4). We then conclude the part on QKD with an example that pinpoints the problems arising when employing a non-composable security definition, which incidentally has been widely used in the literature (Section 2.5).

2.2 Security Criteria 

To define security, we first need to have a clearer picture of what a QKD protocol is supposed to do. We start with a list of the properties we expect an ideal protocol to have and then, in a second step, define security of real protocols by their indistinguishability from the ideal case. In accordance with the terminology used in the context of multi-party computation, we call these properties secrecy, correctness, and robustness (see also [22]). We denote by $S_A$ and $S_B$ the final outputs of the protocol on Alice and Bob's side, respectively. Following the discussion above, the

^1 More precisely, it is impossible to build a physical device that takes as input an unknown quantum state and outputs two copies of it. This impossibility is also known as the non-cloning theorem. For QKD, it is important to have a quantitative version of this statement, sometimes called information-disturbance trade-off.

^2 More generally, a protocol may generate keys whose length depends on an estimate of the maximum amount of information that an adversary may have gained by an eavesdropping attack.

^3 Dropping this assumption leads to the additional problem of generating randomness by mutually mistrustful parties, which is known as coin flipping [7].
protocol may either generate keys, in which case $S_A$ and $S_B$ are two identical random bitstrings of a certain fixed length $\ell$, or it may abort, in which case we set $S_A = S_B = \bot$.^4 Furthermore, we denote by $E$ the entire (quantum) system controlled by an adversary. In particular, $E$ contains all the information that the adversary acquires during the run of the protocol.

We consider here the strongest type of security, namely security against general attacks. This means that an adversary may arbitrarily tamper with the signals exchanged between Alice and Bob over the quantum channel.^5 In addition, she may eavesdrop (but not alter) the classical communication. We also introduce the notion of a passive adversary, who does not disturb the quantum communication. Formally, this simply means that the behavior of the quantum channel is described by a fixed noise model. For QKD based on qubit-systems, for instance, the standard is to consider channels that introduce random bit- and phase-flips (with a given probability).



Perfect Security. We now say that a QKD scheme is perfectly secure if the following holds for any attack.

Correctness: The outputs of the protocol on Alice and Bob's side are identical (i.e., $S_A = S_B$).

Secrecy: If the protocol produces a key $S_A$ (i.e., if $S_A \neq \bot$) then $S_A$ is uniformly distributed and independent of the state of the system $E$ held by the adversary.^6

Robustness: If the adversary is passive then a key is generated (i.e., $S_A \neq \bot$).^7

It is easy to see that none of these criteria can be dropped without making the task trivial. In fact, without the correctness requirement, a protocol may just produce uncorrelated randomness on Alice and Bob's side. Similarly, without the robustness requirement, a protocol may always output $S_A = S_B = \bot$.



Approximate Security. Unfortunately, it is (provably) impossible to design a QKD protocol 
that is perfectly secure according to the above definition. One thus typically considers a relaxation 
where the requirement is that the behavior of the scheme is similar (but not necessarily equal) 
to an idealized scheme which is perfectly secure. This can be made precise using the notion of 
indistinguishability. 

More specifically, one considers a hypothetical device, called distinguisher, which interacts with either the real protocol, in the following denoted $\mathcal{P}^{\mathrm{real}}$, or an ideal protocol, $\mathcal{P}^{\mathrm{ideal}}$, and then outputs a guess bit $B$. The distinguisher may have access to all regular inputs and outputs of the protocol (in our case, we only have outputs, namely $S_A$ and $S_B$) as well as to the system $E$ normally controlled by the adversary. We say that $\mathcal{P}^{\mathrm{real}}$ and $\mathcal{P}^{\mathrm{ideal}}$ are $\varepsilon$-indistinguishable for $\varepsilon \geq 0$ if, for any such distinguisher,

$$\bigl| \Pr[B = 1 \mid \mathcal{P}^{\mathrm{real}}] - \Pr[B = 1 \mid \mathcal{P}^{\mathrm{ideal}}] \bigr| \leq \varepsilon . \qquad (1)$$

Here $\Pr[B = 1 \mid \mathcal{P}^{\mathrm{real}}]$ and $\Pr[B = 1 \mid \mathcal{P}^{\mathrm{ideal}}]$ denote the probabilities that the distinguisher's output $B$ equals 1 when interacting with $\mathcal{P}^{\mathrm{real}}$ and $\mathcal{P}^{\mathrm{ideal}}$, respectively.

The notion of $\varepsilon$-indistinguishability naturally leads to the following definition of $\varepsilon$-security.

Definition 1. A QKD protocol $\mathcal{P}^{\mathrm{real}}$ is $\varepsilon$-secure if it is $\varepsilon$-indistinguishable from a (hypothetical) protocol $\mathcal{P}^{\mathrm{ideal}}$ which is perfectly secure, i.e., $\mathcal{P}^{\mathrm{ideal}}$ satisfies the correctness, the secrecy, and the robustness criteria above.

^4 Alternatively, the length $\ell$ of the generated key may be determined during the run of the protocol, with $\ell = 0$ if the protocol aborts (see, e.g., [3]). For practical applications, however, it is usually more convenient to work with a fixed key length.

^5 One sometimes restricts the security analysis to more restricted types of attacks. An example are collective attacks [6], where it is assumed that the adversary acts on each of the signals sent through the channel independently and identically. This is useful because, for most protocols, security against collective attacks implies security against general attacks [33, 34].

^6 Because of the correctness property, it is sufficient to require secrecy for either $S_A$ or $S_B$.

^7 Note that this property is always relative to a given noise model of the quantum channel.
Intuitively, the parameter $\varepsilon$ can be understood as the maximum failure probability of the protocol $\mathcal{P}^{\mathrm{real}}$, i.e., the maximum probability that $\mathcal{P}^{\mathrm{real}}$ deviates from the behavior of the ideal protocol.^8 For practical considerations, it is often useful to quantify the correctness, secrecy, and robustness of a protocol separately. The following definition is an obvious generalization of the above.

Definition 2. A QKD protocol is $\varepsilon$-correct, $\varepsilon$-secret, or $\varepsilon$-robust if it is $\varepsilon$-indistinguishable from a perfectly correct, secret, or robust scheme, respectively.

Remark 3. One can show that, if a protocol is $\varepsilon_c$-correct, $\varepsilon_s$-secret, and $\varepsilon_r$-robust then it is $\varepsilon$-secure, for $\varepsilon = \varepsilon_c + \varepsilon_s + \varepsilon_r$.

The requirements on the different parameters are generally quite diverse. Typically, a relatively large value $\varepsilon_r$ for the robustness (e.g., $\varepsilon_r = 0.1$) can be tolerated, because the protocol may just be repeated in case it does not generate a key. In contrast, the parameter $\varepsilon_s$ for the secrecy can be interpreted as the (maximum) probability by which an adversary may get secret information without being detected, which one typically wants to keep small (e.g., $\varepsilon_s = 10^{-10}$).

It is easy to see that $\varepsilon$-correctness is equivalent to the requirement that the outputs $S_A$ and $S_B$ produced by the protocol on Alice and Bob's side differ only with small probability,

$$\Pr[S_A \neq S_B] \leq \varepsilon . \qquad (2)$$

Similarly, for $\varepsilon$-robustness, the requirement is that

$$\Pr[S_A = \bot] \leq \varepsilon \qquad (3)$$

holds whenever the adversary is passive. The situation is a bit more subtle (and more interesting) for the secrecy criterion, which can be made more concrete as follows.

Let $\mathcal{S} := \{0, 1\}^{\ell}$ be the key space, i.e., the output $S_A$ takes values in the set $\mathcal{S} \cup \{\bot\}$. Furthermore, for any fixed value $s \in \mathcal{S} \cup \{\bot\}$ of $S_A$, let the state of the system $E$ be denoted by $\rho_E^{s}$. The joint state of $S_A$ and $E$ can then be represented as a cq-state^9

$$\rho_{S_A E} = \sum_{s \in \mathcal{S} \cup \{\bot\}} P_s \, |s\rangle\langle s| \otimes \rho_E^{s} ,$$

where $P_s$ is the probability that $S_A = s$ and where $\{|s\rangle\}_{s \in \mathcal{S} \cup \{\bot\}}$ is a family of orthonormal vectors. It is easy to see that, for any attack, the state resulting from the run of a perfectly secure scheme has the form

$$\rho^{\mathrm{perfect}}_{S_A E} = \sum_{s \in \mathcal{S}} \frac{1 - p_\bot}{|\mathcal{S}|} \, |s\rangle\langle s| \otimes \rho'_E + p_\bot \, |\bot\rangle\langle\bot| \otimes \rho''_E , \qquad (4)$$

where $p_\bot \in [0, 1]$ and where $\rho'_E$ and $\rho''_E$ are density operators. With these definitions, we arrive at a reformulation of $\varepsilon$-secrecy in terms of the trace distance [35, 12].^10

Lemma 4. A QKD protocol is $\varepsilon$-secret if and only if, for any attack, the cq-state $\rho_{S_A E}$ describing the joint state of the protocol output $S_A$ and the system $E$ held by the adversary satisfies

$$\tfrac{1}{2} \bigl\| \rho_{S_A E} - \rho^{\mathrm{perfect}}_{S_A E} \bigr\|_1 \leq \varepsilon \qquad (5)$$

for some state $\rho^{\mathrm{perfect}}_{S_A E}$ of the form (4).

In security proofs, correctness and secrecy are usually established by separate arguments. While the correctness parameter $\varepsilon_c$ is essentially determined by the quality of the error correction procedure used to reconcile the raw keys, the secrecy rests upon various other elements of the protocol. In the simplest case, $\varepsilon_s$ is a function of the accuracy of the estimation procedure, which measures the disturbances of the transmitted signals, as well as of the parameters of the privacy amplification step, which is used to transform the (partially secret) raw key into a final secret key satisfying (5).



^8 This intuition can be made precise in a purely classical context [27].

^9 The state of a bipartite system is called classical-quantum (cq) if the first subsystem is purely classical (in the sense that its states are perfectly distinguishable).

^10 Lemma 4 is an immediate consequence of the well known one-to-one relation between the indistinguishability of two quantum states and their trace distance.
Figure 1: Indistinguishability. The combination of the original distinguisher $\mathcal{D}$ with $\mathcal{A}^{\mathrm{real}}$ gives a new distinguisher $\mathcal{D}'$ for $\mathcal{P}^{\mathrm{real}}$ and $\mathcal{P}^{\mathrm{ideal}}$.

2.3 Composing QKD with Other Cryptographic Primitives 

Since a secret random string is of little interest by itself, QKD is almost never used as a stand-alone application. Instead, one typically is interested in higher cryptographic tasks such as secure message transmission. QKD then just serves as a mechanism to provide the key material needed by the application. In addition, QKD often is built on top of other cryptographic primitives such as authentication schemes, whose task is to make sure the adversary cannot alter the classical messages sent over the insecure channel. Hence, composability of the underlying security definitions is vital in the context of QKD.

What Does Composability Mean? To get a more precise understanding of the notion of composability in the context of QKD, we consider a situation where the key produced by a QKD protocol $\mathcal{P}^{\mathrm{real}}$ is later used in an application $\mathcal{A}^{\mathrm{real}}$, e.g., an encryption scheme. Assume that the protocol $\mathcal{P}^{\mathrm{real}}$ is $\varepsilon_1$-secure, and let the application $\mathcal{A}^{\mathrm{real}}$ be $\varepsilon_2$-secure, i.e., $\varepsilon_2$-indistinguishable from an idealized application $\mathcal{A}^{\mathrm{ideal}}$. The claim then is that the composite system, denoted $\mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{real}}$, where the application $\mathcal{A}^{\mathrm{real}}$ is fed with the key produced by $\mathcal{P}^{\mathrm{real}}$, is $\varepsilon$-secure, for $\varepsilon = \varepsilon_1 + \varepsilon_2$.

The claim becomes even simpler in the special case where $\mathcal{A}^{\mathrm{real}}$ is based on one-time-pad encryption. When being fed with a perfectly secret key, one-time-pad encryption is indistinguishable from a perfect encryption procedure, which simply produces a ciphertext that is statistically independent of the message. We thus have $\varepsilon_2 = 0$. Hence, according to the above claim, when one-time-pad encryption is combined with an $\varepsilon_1$-secure QKD protocol $\mathcal{P}^{\mathrm{real}}$, the resulting scheme is $\varepsilon_1$-secure. That is, it produces ciphertexts which are $\varepsilon_1$-indistinguishable from uniform randomness.

Why Is Our Definition Composable? Roughly speaking, the security parameters $\varepsilon_1$ and $\varepsilon_2$ can be understood as the maximum failure probabilities of $\mathcal{P}^{\mathrm{real}}$ and $\mathcal{A}^{\mathrm{real}}$, respectively (see the paragraph after Definition 1). Hence, according to the union bound, if one combines $\mathcal{P}^{\mathrm{real}}$ and $\mathcal{A}^{\mathrm{real}}$, the total failure probability cannot be larger than $\varepsilon = \varepsilon_1 + \varepsilon_2$. This already gives an intuitive understanding why the combined scheme $\mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{real}}$ is $\varepsilon$-secure, as claimed above.

We will now give a slightly more rigorous argument for this claim. Assume by contradiction that the composite system $\mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{real}}$ is not $\varepsilon$-indistinguishable from $\mathcal{A}^{\mathrm{ideal}} \circ \mathcal{P}^{\mathrm{ideal}}$, i.e., there exists a distinguisher $\mathcal{D}$ whose output $B$ satisfies

$$\Pr[B = 1 \mid \mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{real}}] - \Pr[B = 1 \mid \mathcal{A}^{\mathrm{ideal}} \circ \mathcal{P}^{\mathrm{ideal}}] > \varepsilon_1 + \varepsilon_2 \qquad (6)$$

(cf. (1)). Assume now that we use the same distinguisher $\mathcal{D}$ to distinguish $\mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{real}}$ from $\mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{ideal}}$, where the latter denotes the composite scheme consisting of the real application fed with a key produced by a perfect QKD scheme. Because $\mathcal{A}^{\mathrm{real}}$ is identical in both cases, we can alternatively treat $\mathcal{A}^{\mathrm{real}}$ as part of a (more complex) distinguisher $\mathcal{D}'$ which now interacts with either $\mathcal{P}^{\mathrm{real}}$ or $\mathcal{P}^{\mathrm{ideal}}$ (see Fig. 1). Because, by assumption, $\mathcal{P}^{\mathrm{real}}$ is $\varepsilon_1$-secure and, hence, $\varepsilon_1$-indistinguishable from $\mathcal{P}^{\mathrm{ideal}}$, we get

$$\Pr[B = 1 \mid \mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{real}}] - \Pr[B = 1 \mid \mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{ideal}}] \leq \varepsilon_1 . \qquad (7)$$
Figure 2: Generation of a continuous key stream by sequential composition of rounds of a QKD protocol. The scheme starts with an initial key pair $S^0 = (S^0_A, S^0_B)$. In each round $i$, the QKD protocol $\mathcal{P}_i$ generates a fresh pair $S^i = (S^i_A, S^i_B)$ of keys of length $\ell + \ell_i$, using $\ell_{i-1}$ bits of existing key material for authentication. $\ell$ bits of the fresh key are added to the key stream, whereas $\ell_i$ bits are passed to the next round for authentication.



Similarly, because $\mathcal{A}^{\mathrm{real}}$ is $\varepsilon_2$-indistinguishable from $\mathcal{A}^{\mathrm{ideal}}$, we find

$$\Pr[B = 1 \mid \mathcal{A}^{\mathrm{real}} \circ \mathcal{P}^{\mathrm{ideal}}] - \Pr[B = 1 \mid \mathcal{A}^{\mathrm{ideal}} \circ \mathcal{P}^{\mathrm{ideal}}] \leq \varepsilon_2 . \qquad (8)$$

Combining (7) and (8) contradicts (6) and, hence, concludes our proof of composability.



2.4 Example Application: Generating a Continuous Key Stream 

As already mentioned, composability of the keys produced by a QKD scheme is crucial because 
these are typically used in further applications. Here, we consider their use for authentication in 
subsequent rounds of a QKD protocol. The method described below can be employed to generate a 
continuous stream of key material. This may be of interest for various practical applications, such 
as the encryption of a continuous stream of data. 



Description of the Scheme. We are looking at the (realistic) situation where the communication channels connecting Alice and Bob may be completely insecure, so that not even authenticity is guaranteed. Instead, we assume that Alice and Bob hold an initial key pair $(S^0_A, S^0_B)$ of length $\ell_0$ which is $\varepsilon_0$-secure. They then repeat the following for any $i \in \mathbb{N}$ (see Fig. 2). A QKD protocol $\mathcal{P}_i$ is invoked, which uses the first $\ell_{i-1}$ bits of the key pair $(S^{i-1}_A, S^{i-1}_B)$ for authentication. The protocol generates a new (longer) key pair $(S^i_A, S^i_B)$ of length $\ell_i + \ell$, of which the first $\ell_i$ bits are stored for use in the next round, while the last $\ell$ bits form part of the output stream.



Security Analysis. In the following, we are going to analyze the security of the key stream. Because of composability, this is conceptually very easy — we simply need to add up the security parameters. If the protocol $\mathcal{P}_i$ executed in each round $i$ is $\varepsilon_i$-secure then the security $\varepsilon$ of the final stream is always bounded by

$$\varepsilon \leq \sum_{i=0}^{\infty} \varepsilon_i . \qquad (9)$$



In order to get a reasonable value for $\varepsilon$, we need to make sure that the parameters $\varepsilon_i$ are sufficiently small. However, making $\varepsilon_i$ small generally comes at the cost of increasing the communication complexity of the protocol as well as the length $\ell_{i-1}$ of the initial key used for authentication. As a rough estimate of the performance of a typical QKD protocol, we use here a bound of the form

$$\varepsilon_i \leq e^{-\gamma(\rho n_i - \ell_i - \ell)} + e^{-\nu \ell_{i-1} + \log n_i} , \qquad (10)$$

where $n_i$ denotes the number of quantum signals exchanged during the protocol and where $\gamma$, $\rho$, and $\nu$ are positive constants.^11 The first term corresponds to the security of the protocol if used with an authentic classical channel. Note that the exponent critically depends on the length $\ell_i + \ell$ of the key that is generated. The second term is due to the imperfectness of the authentication scheme.

^11 Values of $\rho = 10^{-\dots}$ and $\gamma = \nu = 10^{-\dots}$ may be realistic for textbook protocols such as BB84 with single photons. We refer to [39, 8] for a more detailed numerical analysis of the performance of QKD protocols.
To make sure that (9) converges, it is necessary to increase the number $n_i$ of exchanged signals in each round of the protocol. For the purpose of illustration,^12 we set

$$n_i := n + c\,i \qquad\text{and}\qquad \ell_i := \ell + c\rho\, i/2$$

for some constants $n \in \mathbb{N}$ and $c > 0$. Inserting this into (10) results in a bound on $\varepsilon_i$ such that the sum over $i$ is a geometric series. Hence, by appropriately choosing the constants $n$, $\ell$, and $c$, the security parameter $\varepsilon$ of the key stream can be made arbitrarily small.
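The key-stream bookkeeping of this section and the budget (9) evaluated with the bound (10), as an added Python example that is not part of the paper. All numeric constants (γ, ρ, ν, n, c, ℓ) and the choice ℓ_0 = ℓ are assumed illustrative values; the run with c = 0 shows why n_i has to grow from round to round.

```python
# Added example, not from the paper: key-stream bookkeeping of Section 2.4 and the
# epsilon budget (9) evaluated with the bound (10). All numeric constants below are
# assumed, illustrative values (they are not the paper's), and l_0 = l is assumed.
import math

def round_epsilon(n_i, l_i, l_prev, l, gamma, rho, nu):
    """Bound (10) on the failure probability eps_i of round i.
    First term: security of the round over an authentic classical channel, driven by
    the length l_i + l of the key it generates from n_i signals.
    Second term: imperfection of the authentication scheme keyed with the l_prev
    bits carried over from round i-1 (log n_i accounts for the message length)."""
    return (math.exp(-gamma * (rho * n_i - l_i - l))
            + math.exp(-nu * l_prev + math.log(n_i)))

def key_stream_budget(rounds, n, c, l, gamma, rho, nu, eps0=0.0):
    """Run `rounds` rounds with the paper's illustrative choice n_i := n + c*i and
    l_i := l + c*rho*i/2, starting from an eps0-secure initial key of length l_0 = l.
    Returns (stream_bits, eps_bound, per_round) where eps_bound = eps0 + sum eps_i
    is the right-hand side of (9) and per_round lists (i, n_i, l_i, eps_i)."""
    eps_bound = eps0
    stream_bits = 0
    l_prev = l                      # l_0: bits available for authenticating round 1
    per_round = []
    for i in range(1, rounds + 1):
        n_i = n + c * i
        l_i = l + c * rho * i / 2
        eps_i = round_epsilon(n_i, l_i, l_prev, l, gamma, rho, nu)
        # Round i consumes the l_prev authentication bits and produces l_i + l fresh
        # bits: l_i are kept for authenticating round i+1, l go to the output stream.
        stream_bits += l
        eps_bound += eps_i
        per_round.append((i, n_i, l_i, eps_i))
        l_prev = l_i
    return stream_bits, eps_bound, per_round

# Assumed constants: gamma = 1e-3, rho = 0.1, nu = 5e-3, n = 300000 signals, l = 10000 bits.
PARAMS = dict(gamma=1e-3, rho=0.1, nu=5e-3, n=300_000, l=10_000)

def growth_example(rounds):
    """Compare a fixed round size (c = 0) with a growing one (c = 20000).
    With c = 0 every eps_i is the same, so the bound (9) grows linearly in the number
    of rounds; with c = 20000 the first term of (10) equals exp(-(10 + i)) for the
    constants above, a geometric series, so the bound converges.
    Returns (eps_fixed, eps_growing)."""
    _, eps_fixed, _ = key_stream_budget(rounds, c=0, **PARAMS)
    _, eps_growing, _ = key_stream_budget(rounds, c=20_000, **PARAMS)
    return eps_fixed, eps_growing

if __name__ == "__main__":
    for rounds in (10, 100, 1000):
        fixed, growing = growth_example(rounds)
        print(f"{rounds:5d} rounds: c=0 -> eps <= {fixed:.3e}, c=20000 -> eps <= {growing:.3e}")
```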

2.5 An Explicit Attack Exploiting Non-Composability 

The necessity of composable security definitions has only been realized recently. In fact, most of 
the original security proofs proposed in the literature were relative to a security criterion that is 
not composable. The main purpose of this section is to illustrate what can go wrong if such a 
non-composable security definition is used. 

Measuring Secrecy. As we have seen in Section 2.2, the correctness and the robustness property are rather unproblematic. In particular, both of them can be expressed as the condition that certain probabilities are small (cf. (2) and (3)). This is different for the secrecy property. Intuitively, a key $S_A$ is secret if an adversary has only little information about it, in the sense of (5). There are, however, a variety of alternative information measures, and this is indeed the source of the problem we are going to describe now.

One such information measure is the accessible information, denoted $I_{\mathrm{acc}}(\cdot : \cdot)$. It is particularly suitable to quantify the information a quantum system (in our case the system $E$ held by the adversary) gives about a classical value (the key $S_A$). The accessible information is defined in terms of the Shannon mutual information, $I(\cdot : \cdot)$,

$$I_{\mathrm{acc}}(S_A : E) := \max_{Z} I(S_A : Z) ,$$

where the maximum is taken over all random variables $Z$ that can be obtained by measuring the quantum system $E$.

Recall that, according to Lemma 4, the key $S_A$ generated by a QKD protocol is $\varepsilon$-secret if and only if

$$\tfrac{1}{2} \Bigl\| \rho_{S_A E} - \sum_{s \in \mathcal{S}} \frac{1}{|\mathcal{S}|} \, |s\rangle\langle s| \otimes \rho'_E \Bigr\|_1 \leq \varepsilon \qquad (11)$$

holds for some $\rho'_E$. (We assume here for simplicity that the protocol always outputs a key, i.e., $p_\bot = 0$.) Since a measurement cannot increase the trace distance, this immediately gives a bound on the distance between the joint distribution $P_{S_A Z}$ of the key $S_A$ and the outcome $Z$ of any measurement applied to $E$, and a distribution of the form $P_U \times P'_Z$ where $P_U$ denotes the uniform distribution over the key space,

$$\tfrac{1}{2} \bigl\| P_{S_A Z} - P_U \times P'_Z \bigr\|_1 \leq \varepsilon . \qquad (12)$$

For small values of $\varepsilon$, Fano's inequality implies that $I(S_A : Z)$ and, hence, the accessible information $I_{\mathrm{acc}}(S_A : E)$, is small, too.^13 In other words, the secrecy criterion (11) is at least as strong as a criterion based on the accessible information.

The converse, however, is not true. To illustrate this, we construct an explicit example quantum state $\rho_{S_A E}$ for which the accessible information is (arbitrarily) small, whereas the key $S_A$ is insecure when being used for one-time pad encryption. The state $\rho_{S_A E}$ thus necessarily violates the (composable) secrecy criterion (11). From this, we conclude that small accessible information does not imply secrecy in the sense of Definition 2.

^12 The example should be understood as a proof of principle. We have not attempted to optimize parameters.

^13 More precisely, (11) implies $I_{\mathrm{acc}}(S_A : E) \leq 2n\varepsilon + 4h(\varepsilon)$ where $n$ is the key length and $h$ is the binary entropy. (Since $\varepsilon$ is usually chosen exponentially small in $n$, the same is true for the term $2n\varepsilon$.)
Construction of the Example. Our example consists of a uniformly distributed $(n+1)$-bit key $S_A = (S_1, \dots, S_{n+1})$ and an $n$-qubit system $E$. Furthermore, we consider an $n$-tuple of bits $R = (R_1, \dots, R_n)$ whose sum modulo 2 equals

$$R_1 \oplus \cdots \oplus R_n = S_{n+1} , \qquad (13)$$

but which are otherwise completely random. Then, for any fixed $S_A = s = (s_1, \dots, s_n, s_{n+1})$ and $R = r = (r_1, \dots, r_n)$ satisfying (13), we define the state of $E$ by

$$|\phi^{s,r}\rangle := |r_1\rangle_{s_1} \otimes \cdots \otimes |r_n\rangle_{s_n} ,$$

where $|r_i\rangle_{s_i}$, for any $i = 1, \dots, n$, denotes the state of a qubit encoding the classical bit $r_i$ in either some specified standard basis $\{|0\rangle, |1\rangle\}$ (if $s_i = 0$) or the corresponding diagonal basis (if $s_i = 1$), i.e.,

$$|0\rangle_0 = |0\rangle \qquad\qquad |1\rangle_0 = |1\rangle$$

$$|0\rangle_1 = \tfrac{1}{\sqrt{2}}\bigl(|0\rangle + |1\rangle\bigr) \qquad |1\rangle_1 = \tfrac{1}{\sqrt{2}}\bigl(|0\rangle - |1\rangle\bigr) .$$

In particular, the density operator $\rho_E^{s}$ describing the state of $E$ conditioned on $S_A = s$ (but randomized over $R$) is given by

$$\rho_E^{s} = \frac{1}{2^{n-1}} \sum_{\substack{(r_1, \dots, r_n) \\ r_1 \oplus \cdots \oplus r_n = s_{n+1}}} |\phi^{s,r}\rangle\langle\phi^{s,r}| .$$

We now move on to the proof of the claims made above. First, we show that the accessible information $I_{\mathrm{acc}}(S_A : E)$ is small. This implies that (12) holds for some small $\varepsilon$ (see, e.g., Lemma 12.6.1 of [12]). Second, we describe an attack against a scheme where the key $S_A$ is used for one-time-pad encryption. The attack allows the adversary to learn one bit of the message with certainty. This, in particular, implies that the (composable) secrecy criterion (11) cannot hold for any non-trivial value of $\varepsilon$.

Small Accessible Information. We do not attempt here to give a rigorous proof of the above claim but rather describe the intuition for it. For the details of the argument we refer to [23].

In order to prove that $I_{\mathrm{acc}}(S_A : E)$ is small, we need to argue that any outcome $Z$ of a measurement applied to $E$ has only negligible correlation with $S_A$. To simplify this task, we split $S_A = (S_1, \dots, S_{n+1})$ into two parts and make use of the chain rule for the mutual information,

$$I(S_A : Z) = I(S_1 \cdots S_n : Z) + I(S_{n+1} : Z \mid S_1 \cdots S_n) .$$

Note that the state of each qubit of $E$ is an encoding of a random bit $R_i$, where only the basis depends on $S_i$. The overall state of $E$ conditioned on $(S_1, \dots, S_n)$ is thus fully mixed and, hence, independent of the value of $(S_1, \dots, S_n)$. This immediately implies $I(S_1 \cdots S_n : Z) = 0$ and it thus remains to be shown that $I(S_{n+1} : Z \mid S_1 \cdots S_n)$ is small.

For this, let us first assume that the measurement giving $Z$ consists of $n$ independent measurements applied to the individual qubits of $E$. Each of them would then result in an estimate for the value of a bit $R_i$, for $i = 1, \dots, n$. However, since each bit $R_i$ is encoded in a random basis determined by $S_i$, and since the bit $S_i$ is unknown at the time of the measurement, the maximum probability $p$ of obtaining the correct outcome $R_i$ is bounded away from 1, i.e., $p < 1$.

Now, recall that the key bit $S_{n+1}$ is equal to the sum modulo 2 of the random bits $R_1, \dots, R_n$. Hence, using the measurement strategy described above, the correct value of $S_{n+1}$ can only be obtained if all the individual measurements are successful. The probability that this happens can be shown to be exponentially small in $n$.^14 We thus conclude that the correlation between the key bit $S_{n+1}$ and the measurement outcome $Z$ is small.

^14 More precisely, given $Z$, the probability of correctly guessing $S_{n+1}$ is not larger than the probability of guessing an independent random bit, except with probability exponentially small in $n$.
This argument can be generalized to arbitrary measurement strategies [23]. It turns out that the above individual strategy is essentially optimal, i.e., $I(S_{n+1} : Z \mid S_1 \cdots S_n)$ is small for any measurement. In fact, a quantitative analysis^15 (for a slightly modified example) gives $I(S_A : Z) \leq 2^{-\dots}$ and, hence, $I_{\mathrm{acc}}(S_A : E) \leq 2^{-\dots}$.

The Attack. Let us now have a look at what happens if we use the key $S_A = (S_1, \dots, S_{n+1})$ for one-time-pad encryption. By definition, for any message $M = (M_1, \dots, M_{n+1})$, the ciphertext $C = (C_1, \dots, C_{n+1})$ is given by $C_i = M_i \oplus S_i$. In the following, we assume that the adversary has full access to $C$.

To understand the relevance of the example, it is important to realize that we can, in general, not assume that the message $M$ is uniformly distributed.^16 To the contrary, almost any realistic message will consist of biased bits or bits that are (partially) known to an adversary. In fact, the history of cryptography is full of examples where prior knowledge about the structure of the messages has been exploited for attacks. For our specific attack, we consider the extreme case where the adversary already knows the first $n$ message bits $(M_1, \dots, M_n)$ but tries to get information about the bit $M_{n+1}$. (For example, the first $n$ bits may contain standardized header information while the actual message starts with the $(n+1)$th bit.)

Given the first n bits of both the message and the ciphertext, the adversary can obviously determine the first n key bits S_1, ..., S_n by S_i = M_i ⊕ C_i. This by itself would not be problematic because, after all, the very nature of a one-time pad is that it is only used once. However, the adversary may now use her knowledge of S_1, ..., S_n to extract further information from the quantum system E. More precisely, because by construction the bits S_1, ..., S_n determine the basis in which the values R_i are encoded in E, the adversary can apply a measurement which produces the outcomes R_1, ..., R_n. From this, she determines the (n+1)th key bit S_{n+1} = R_1 ⊕ ··· ⊕ R_n and, in particular, the message bit M_{n+1} = S_{n+1} ⊕ C_{n+1} with certainty.
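The attack just described, as an added example that is not part of the original article: a Python simulation of the construction in which the adversary's qubits are modeled as real amplitude vectors (a classical simulation of single-qubit measurements, not a quantum experiment). It also runs an adversary who lacks the known header, to show that without S_1, ..., S_n the parity guess is essentially a coin toss; key length, seeds and messages are constructed for illustration.

```python
"""Added example (not from the paper): simulation of the known-header attack on the
one-time pad keyed with S_A = (S_1, ..., S_{n+1}).

Construction as in the text: S_1..S_n and R_1..R_n are uniform bits,
S_{n+1} = R_1 xor ... xor R_n, and the adversary's system E consists of n qubits,
qubit i carrying R_i in the Z basis (S_i = 0) or the X basis (S_i = 1).
Qubits are real two-component amplitude vectors; measurement outcomes follow the
Born rule using a seeded PRNG.  All parameters below are constructed.
"""
import math
import random

H = 1 / math.sqrt(2)


def encode(r, s):
    """Qubit holding bit r: Z basis {|0>,|1>} if s == 0, X basis {|+>,|->} if s == 1."""
    if s == 0:
        return (1.0, 0.0) if r == 0 else (0.0, 1.0)
    return (H, H) if r == 0 else (H, -H)


def measure(state, basis, rng):
    """Projective measurement in the Z (basis 0) or X (basis 1) basis; returns the outcome.
    The post-measurement state is not tracked: each qubit is measured once per run."""
    a, b = state
    if basis == 1:
        a, b = H * (a + b), H * (a - b)  # amplitudes expressed in the X basis
    return 0 if rng.random() < a * a else 1


def generate(n, rng):
    """Return the (n+1)-bit key S_A and the adversary's n qubits E."""
    s = [rng.randrange(2) for _ in range(n)]
    r = [rng.randrange(2) for _ in range(n)]
    parity = 0
    for bit in r:
        parity ^= bit
    return s + [parity], [encode(r[i], s[i]) for i in range(n)]


def one_time_pad(bits, key):
    return [m ^ k for m, k in zip(bits, key)]


def attack(ciphertext, known_header, env, rng):
    """Known-plaintext attack from the text: S_i = M_i xor C_i reveals the bases,
    measuring qubit i in basis S_i yields R_i with certainty, and the parity of
    the R_i is S_{n+1}.  Returns the recovered message bit M_{n+1}."""
    n = len(env)
    bases = [m ^ c for m, c in zip(known_header, ciphertext[:n])]
    parity = 0
    for i in range(n):
        parity ^= measure(env[i], bases[i], rng)
    return ciphertext[n] ^ parity


def blind_guess(env, rng):
    """Adversary without the ciphertext: measures in random bases and outputs the
    parity of the outcomes as a guess for S_{n+1}."""
    parity = 0
    for qubit in env:
        parity ^= measure(qubit, rng.randrange(2), rng)
    return parity


def experiment(n, trials, seed=1):
    """Return (success rate of the known-header attack, success rate of the blind guess)."""
    rng = random.Random(seed)
    attack_hits = blind_hits = 0
    for _ in range(trials):
        key, env = generate(n, rng)
        message = [rng.randrange(2) for _ in range(n + 1)]  # M_1..M_n: header known to Eve
        cipher = one_time_pad(message, key)
        attack_hits += attack(cipher, message[:n], env, rng) == message[n]
        key2, env2 = generate(n, rng)  # fresh instance for the adversary without the header
        blind_hits += blind_guess(env2, rng) == key2[n]
    return attack_hits / trials, blind_hits / trials


if __name__ == "__main__":
    print(experiment(n=8, trials=1000))
```

experiment(8, 1000) returns an attack success rate of exactly 1.0 next to a blind-guess rate of about 0.5 (the exact value is 1/2 + 2^{-(n+1)}, the second term being the chance that all random bases happen to match): the same system E is useless until the n header bits fix the measurement bases, which is precisely the dependence on side information that the accessible information, maximized over measurements chosen without it, does not capture.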

Discussion. Our example shows that the accessible information is an inappropriate measure for quantifying secrecy: Even though the accessible information I_acc(S_A : E) that an adversary has on the key S_A is small, the key S_A cannot safely be used for tasks such as one-time-pad encryption.

The example also answers a question raised by Ben-Or et al. in [3]. They have shown that a QKD protocol which generates an n-bit key S_A is ε-secure whenever

I_acc(S_A : E) ≤ 2^{-(n+2)} ε² .

An immediate implication of our argument above is that this result is essentially tight. In other words, in order to get (composable) security from a bound on I_acc(S_A : E), this bound must be exponentially small in the key size. Unfortunately, however, this criterion is not met by most known security proofs that refer to the accessible information (see [33] for references).

In order to prove security of a given QKD scheme, it is thus more advisable to directly derive a bound on the trace distance in (11) (rather than on the accessible information). Such a bound can in principle be obtained by a modification of the well-known argument by Shor and Preskill [40], which however only applies to specific types of protocols. A more generic approach is to use the fact that privacy amplification based on suitably chosen hash functions (e.g., two-universal hashing) directly produces keys that satisfy (11), provided the input to the hash function (the raw key) has sufficiently high entropy [35] (see [11, 22] for specific examples of such hash functions).
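As an added example, not from the article or its references, the following Python code implements privacy amplification with a Toeplitz hash family, which is two-universal, and checks the defining collision property exhaustively for small parameters. The function leftover_hash_epsilon states the standard bound of the (quantum) leftover hash lemma, ε ≤ ½ · 2^{-(H_min(X|E) - ℓ)/2}, which the text attributes to [35] but does not reproduce; the raw-key length, the assumed min-entropy and the seeds are constructed values.

```python
"""Added example (not from the paper): privacy amplification with a Toeplitz hash.

The family {h_s} maps an n-bit raw key x to an l-bit key.  The (l x n) Toeplitz
matrix of h_s has entry T[i][j] = s_{i+j}, so the seed s has n + l - 1 bits.
Bit strings are Python ints: bit j of x is (x >> j) & 1, bit k of s is (s >> k) & 1.
"""
import random


def toeplitz_hash(seed, x, n, l):
    """Output bit i is the GF(2) inner product of x with row i of T, i.e. with the
    n-bit window s_i ... s_{i+n-1} = (seed >> i) & mask."""
    mask = (1 << n) - 1
    out = 0
    for i in range(l):
        row = (seed >> i) & mask
        out |= (bin(row & x).count("1") & 1) << i
    return out


def collision_probability(n, l, x, y):
    """Pr_s[h_s(x) = h_s(y)] over all 2^(n+l-1) seeds.  Two-universality means this
    equals 2^-l for every pair x != y; exhaustive, so only for small n and l."""
    assert x != y
    total = 1 << (n + l - 1)
    hits = sum(1 for s in range(total)
               if toeplitz_hash(s, x, n, l) == toeplitz_hash(s, y, n, l))
    return hits / total


def leftover_hash_epsilon(h_min, l):
    """Standard leftover hash lemma bound (the result the text cites as [35]):
    if the raw key has conditional min-entropy H_min(X|E) >= h_min, hashing it to
    l bits with a two-universal family yields a key whose trace distance from an
    ideal key is at most 2^-((h_min - l)/2) / 2."""
    return 0.5 * 2.0 ** (-(h_min - l) / 2)


def privacy_amplify(raw_key, n, l, rng):
    """Choose a fresh public seed and hash the raw key; returns (seed, final_key)."""
    seed = rng.getrandbits(n + l - 1)
    return seed, toeplitz_hash(seed, raw_key, n, l)


if __name__ == "__main__":
    rng = random.Random(7)
    n, l = 64, 20
    raw = rng.getrandbits(n)  # constructed 64-bit raw key
    # Assumption for the example: Eve knows at most 24 of the 64 bits, so H_min(X|E) >= 40.
    seed, key = privacy_amplify(raw, n, l, rng)
    print(f"seed={seed:#x} key={key:#07x} eps<={leftover_hash_epsilon(40, l)}")
    print(collision_probability(6, 3, 0b101100, 0b000111))  # 0.125 = 2^-3
```

collision_probability(6, 3, ...) returns exactly 0.125 = 2^{-3}, and for the 64-bit raw key with at most 24 bits known to the adversary, extracting 20 bits gives ε ≤ 2^{-11}. In a real implementation the seed is chosen by one party, sent over the authenticated classical channel and never reused, since the bound assumes it is uniform and independent of the raw key.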

3 Composability of General Secure Applications 

In the following sections, which constitute the second part of the article, we consider security defi- 
nitions for general cryptographic tasks and the problem of composing secure protocols to complex 
security applications. 

Footnote: For technical reasons, the argument of [23] is based on an extended construction where the bits R_i are encoded with respect to three (rather than two) different mutually unbiased bases.

Footnote: It is possible to design encryption schemes whose security is based on the additional assumption that the distribution of the messages is highly random from the adversary's point of view [36] (this is also known as entropic security). Interestingly, these schemes only require a short key.
We will describe a quantum model of security [4, 43, 45] which gives strong composability guarantees. The composition theorem (see Subsection 5.1) states that a protocol secure in this model can be used in an arbitrary application without lowering the overall security. Furthermore, an arbitrary number of protocols proven secure in this model can be used concurrently and remain secure in the model. We will have to neglect many details (already [5] has 128 pages and describes the classical case). Our treatment will be on a more intuitive and abstract level. For details please see [43, 45].

One could argue that this topic need not be discussed in an article about quantum cryptography, as the most important building blocks of general applications, i.e., protocols like coin flipping, bit commitment, or oblivious transfer, cannot be achieved with unconditional security in quantum cryptography [7, 28, 25]. However, there still are enough interesting applications for quantum cryptography. Even if some tasks are impossible to achieve in principle, it is possible to achieve them relative to security assumptions which are independent of the computational assumptions of classical cryptography [37, 13]. Furthermore, many of the possible assumptions, like the adversary being able to store only a limited amount of qubits or the adversary being unable to maintain coherence for large quantum states, are very reasonable.

In addition, a quantum model of security is not only useful to analyze or prove the security of quantum protocols, but it can also be used to investigate the security of classical protocols against quantum adversaries. It was in the context of composability that the question was answered whether quantum attacks on classical protocols give more power to the adversary than a mere speed-up of computations [45] (see Subsection 5.2).

4 Defining Security 

Key exchange and secure message transmission are among the most important prerequisites of general security applications; however, general applications can require further security properties. As examples consider secure authentication, digital signatures, online banking, or remote voting. One of the big differences between such applications and key exchange is that the protocol participants are mutually mistrusting. Secure function evaluation [49, 17] is a generalization of such cryptographic applications: In a secure function evaluation a set of players P_1, ..., P_n wishes to evaluate a function f on inputs x_1, ..., x_n they hold respectively, such that corrupted players cannot change the outcome of the computation (other than by choosing a different input) and corrupted players do not learn more about the inputs of honest players than can be derived from their own inputs and the output of the function evaluation. These two properties of secure function evaluation are called correctness and privacy. However, it turned out that these two properties alone do not cover what one intuitively requires from a secure computation. Additional properties were added, like independence of inputs, which demands that it should not be possible for a corrupted player to choose his own input dependent on the secret inputs of honest parties. It is easy to see that independence of inputs is not logically implied by privacy or correctness if one does not demand that each protocol participant knows its input from the start. There are more security properties which are not implied by privacy and correctness: robustness requires that no corrupted player may abort the protocol; fairness demands that even if an abort cannot be prevented, it should not be possible for the adversary to learn more about the result of the computation than the honest players; and zero knowledge is the property that a real protocol transcript could also have been generated by a single machine without knowledge of any secret involved in the protocol. Defining security via a list of security properties became known as the list approach; however, researchers got the impression that one might never know whether the list of security properties is complete.

4.1 The Simulation Paradigm 

A new security definition was needed. It should be convincing and (as general applications are to be considered) independent of the specific goals the attacker might have. The first step towards this new definition was the discovery of zero knowledge proofs [18], where the simulation paradigm was introduced.

Instead of considering different security properties, the new notion was based on indistinguishability. Intuitively speaking, a real protocol is compared to an ideal protocol where a trusted party collects the inputs from the protocol participants, computes the output and distributes the output to the participants. If the real protocol and the ideal protocol have an indistinguishable input-output behavior, the real protocol is said to be at least as secure as the ideal protocol. Such a definition of security defines security of a real protocol relative to an idealization. The level of security reached thus also depends on the specification of the ideal protocol.

In the case of quantum key distribution we have already seen a security definition which compares a real key exchange with an ideal situation; however, unlike in the general case, it was possible to reduce this security notion to the fulfillment of separate security properties (see Section 2.2).

In the real model the protocol is attacked by a real attacker which may corrupt protocol participants, pools all their data, and lets the corrupted participants deviate from the protocol in an arbitrary way. In the ideal protocol there is an ideal attacker (also called simulator) which must be able to provide an output indistinguishable from the output of the real attacker while having access only to the inputs and outputs of the corrupted players. As the ideal attacker does not learn any real protocol messages or secrets which cannot be derived from the inputs and outputs of the corrupted players, the indistinguishability guarantees that the real protocol does not leak any secrets to the real attacker.

However, there are certain "attacks" which cannot be prevented, e.g. an adversary could replace 
his input by a different value. These inevitable attacks are not considered to violate the security and 
hence we must be able to model these attacks in the ideal protocol as well. These inevitable attacks 
will be carried out by the simulator, too. The ideal attacker may corrupt protocol participants in the 
ideal model, but all the ideal attacker can do is to replace local inputs or to replace local outputs. 
If the real attacker may corrupt more than a minority of the protocol participants then the attacker 
can always abort the computation and we have to give this ability to the ideal adversary as well. 

Stating the exact definition here goes beyond the scope of this article (it can be found in [17]), especially because this notion of security does not yet allow for composition, as we will illustrate below.

Note that this definition of security requires the ideal attacker (simulator) to provide his output 
only after termination of the protocol, i.e., in retrospect and thus with the benefit of hindsight. 
This gives a certain "advantage" to the ideal attacker without which a simulation would become 
impossible in most cases. The ability to provide a simulation of a real protocol without any advantage 
over a real attacker would in many cases imply the complete insecurity of the real protocol as the 
real attacker could use the program of the simulator to cheat in the real execution of the protocol. 
What is important in this context is that this advantage of the simulator should not invalidate the 
" idealness" of the ideal model. 

This simulation in retrospect does not violate the "idealness", because the result of an ideal protocol is not altered by this (the protocol remains correct) and no secrets of honest participants are leaked. However, as we will see in Subsection 4.3, this ability of simulating in retrospect does not play well with composition or with protocols which accept inputs not only at the start, but also at later times (protocols realizing so-called reactive functionalities, which are a generalization of secure function evaluation).

4.2 A Motivating Example: Secure Composition as a Problem 

Below we will give two examples illustrating what can happen when protocols are composed. The 
first is a classical example from classical cryptography where a message from one subprotocol of a 
larger application is fed into another subprotocol and the overall application becomes insecure. The 
second example shows that quantum information can be used in different subprotocols such that 
entanglement spans over different subprotocols. 

4.2.1 Malleability — a Classical Example 

A very simple example of this kind is a (simplified) auction protocol. We assume a trusted auctioneer in possession of an RSA public key (n, e). For an auction the auctioneer accepts bids which are encrypted with his public key. After receiving all the bids the auctioneer decrypts the ciphertexts with his secret key d and publishes the highest bid together with the winner of the auction. The RSA encryption keeps eavesdroppers from learning the bids of competitors. This seems to imply that the bids of the dishonest participants must be chosen independently of the bids of the honest participants. However, astonishingly this is not necessarily the case: Consider an honest Alice and a dishonest Bob, and let all encryptions be done by "textbook RSA" (see the footnote below). If now Alice bids the amount m, then she sends c = m^e mod n to the auctioneer. Bob can, after learning this ciphertext c, compute 2^e · c mod n, which equals an encryption of 2m with the public key (n, e).

So without knowing the amount of Alice's bid Bob is able to compute a ciphertext which encrypts a higher bid and so he will win the auction. This security weakness is called malleability [15] and it is not per se a weakness of textbook RSA, but becomes a problem when textbook RSA is used in certain larger applications.
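The auction attack above in running Python, as an added example that is not part of the original article. The modulus is built from two Mersenne primes so that the example runs offline without key-generation code; bid values and participant names are constructed, and the attack is written for an arbitrary factor k rather than only for 2.

```python
"""Added example (not from the paper): the textbook-RSA auction attack.

Toy parameters, constructed for illustration: the auctioneer's modulus is the product
of two Mersenne primes.  Real deployments use random primes of at least 1024 bits each.
"""

P = (1 << 127) - 1  # Mersenne prime 2^127 - 1
Q = (1 << 89) - 1   # Mersenne prime 2^89 - 1


def keygen(p=P, q=Q, e=65537):
    """Auctioneer's key: public (n, e), private d with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), d


def encrypt(pk, m):
    """Textbook RSA: c = m^e mod n, deterministic and without padding."""
    n, e = pk
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(pk, d, c):
    n, _ = pk
    return pow(c, d, n)


def forge_scaled_bid(pk, c, k):
    """Bob's attack for an arbitrary factor k: k^e * c = (k*m)^e mod n is a valid
    encryption of k*m, computed without ever learning m."""
    n, e = pk
    return (pow(k, e, n) * c) % n


def run_auction(pk, d, encrypted_bids):
    """Auctioneer: decrypt every bid and return (winner, amount) of the highest one."""
    return max(((name, decrypt(pk, d, c)) for name, c in encrypted_bids.items()),
               key=lambda item: item[1])


def demo(alice_bid=1500, k=2):
    pk, d = keygen()
    c_alice = encrypt(pk, alice_bid)
    c_bob = forge_scaled_bid(pk, c_alice, k)  # Bob only ever sees c_alice
    return run_auction(pk, d, {"Alice": c_alice, "Bob": c_bob})


if __name__ == "__main__":
    print(demo())  # ('Bob', 3000)
```

demo() returns ('Bob', 3000) for Alice's bid of 1500. The attack uses only the multiplicative homomorphism (k·m)^e = k^e · m^e mod n, which is why randomized padding such as RSA-OAEP stops it: the decrypted value k·m of a forged ciphertext no longer carries valid padding and is rejected. In the language of this section, Bob has taken a message from Alice's subprotocol (her encryption) and fed it into his own.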

4.2.2 Quantum Superpositions can Span over several Subprotocols 

Quantum bit commitment, i.e., the cryptographic equivalent of a sealed envelope, has been shown to be impossible with unconditional security. However, it is tempting to try to circumvent this impossibility theorem of Mayers [28] and Lo/Chau [25] by a clever composition of possible quantum protocols. One could try to build up a secure bit commitment from weaker primitives like cheat-sensitive commitments [19]. However, the impossibility theorem rules this out and therefore shows that composing quantum protocols can be counterintuitive. One cannot treat the subprotocols as being "atomic" and quantum superpositions as being limited to occur only within the subprotocols. It is possible to keep all quantum information in the different subprotocols in one large superposition, and the attack of Mayers and Lo/Chau does exactly that.

4.3 Types of Protocol Composition 

Two kinds of protocol composition can be distinguished: 

Simple Composition, for which an example was given in the previous subsection. In simple composition a single instance of a cryptographic primitive is replaced by a real subprotocol. Now messages from the surrounding protocol which may depend on secrets of uncorrupted parties can be injected into the subprotocol, or vice versa: a corrupted player can use messages from within a subprotocol outside of this subprotocol. This access to protocol messages which may depend on secrets of uncorrupted parties gives an enormous strength to the adversary not present in stand-alone models of security. In the quantum world it is additionally possible to entangle messages used in different protocols.

In the case of Concurrent Composition many instances of the same protocol with correlated inputs are run concurrently. Apart from the problem of simple composition, that messages from one protocol could be fed into another [30], an additional problem occurs if one allows more than a constant number of protocol instances to be run concurrently. Even though each single instance of the protocol is secure in the sense of simulatability, it could be that the multiple rounds of the different protocol instances are interleaved in a way that messages in one instance of the protocol affect messages in other instances, and no polynomial-time simulation strategy to obtain a consistent simulation for all instances is known.

So in a notion of security allowing for secure composition the simulator should work even if the protocol is run in an arbitrary application context. This implies that the simulation cannot be done in retrospect, as the real adversary could feed information into surrounding protocols at any time. This requirement of a straight-line simulator is very strict; however, according to [24] it is close to the minimal requirement if one wants to combine the requirements of stand-alone simulatability and the notion of security being preserved if run in arbitrary applications.

5 The Universal Composability Framework 

The basic idea of the Universal Composability (UC) framework, and why this notion of security allows for secure composition, is that the stand-alone simulatability definition of security from [17] is enriched by an additional machine, an environment machine, which interacts with the protocol and the attacker while it can emulate arbitrary surrounding protocols (see the second footnote below). Starting from this

Footnote: This refers to the originally published version of RSA where a ciphertext c for a message m is deterministically computed via c = m^e mod n and decryption is done via m = c^d mod n.

Footnote: In Section 2.3 this environment was only implicit, because the interaction with other protocols is simpler than in the general case: key distribution has no input and guarantees no security if one of the parties is corrupted.
classical universal composability framework [5] and the independently discovered concept of reactive simulatability [31, 2], two quantum models of security were defined in [43, 4]. Both models follow the same motivation, but differ in details which are not of importance in this overview.

The model of [43] is described in three steps. First the machines and their network are defined, next the behavior of the machines is defined according to their roles in a protocol, then the security definition is given based on the indistinguishability of two protocols (the real and the ideal protocol). In our overview many details have to be omitted. For details consult [43, 45].

Machines and Networks. Quantum machines have internal states which may be quantum, and the state transition operator is a trace-preserving superoperator on the Hilbert space spanned by the tensor product of the possible internal states, the possible inputs and the possible outputs of the machine. The machines are connected by an asynchronous quantum network, i.e., (quantum) messages between machines may be blocked or delayed. Only one machine may be active at any time and the scheduling is message driven, i.e., a machine sending away a message switches to a waiting state while the receiving machine is activated (see the footnote on the master scheduler below).

The scheduling is classical, i.e., machines are not active and inactive in superposition, nor are messages sent and not sent in superposition. This makes the model usable, but it excludes the possibility of certain protocols detecting a traffic analysis [16, 8].

Protocol, Adversary, and Environment. Apart from the protocol participants, which are specified by the protocol, there are two more machines taking part in the protocol execution. The adversary A (or S in the ideal model) is the machine coordinating all corrupted participants, analogous to the stand-alone model in Section 4.1. The environment machine Z chooses the inputs (see the footnote on reactive functionalities below), sees the outputs, and may communicate with the adversary at any time. The environment machine can emulate arbitrary surrounding protocols and can hence detect vulnerabilities which would result from protocol composition.

The Security Definition. We demand that the environment machine produce a classical output, and we say that a protocol π implements an ideal protocol F with perfect security if for every adversary A there exists an ideal adversary S such that for every environment machine Z the distribution of the outputs of Z when interacting with A and π equals the distribution of the outputs of Z when interacting with S and F. A protocol π realizes F with statistical security if the output distribution of Z when interacting with A and π is statistically indistinguishable (see the footnote on key distribution below) from the output distribution of Z when interacting with F and S.

Quantum cryptography usually aims at achieving statistical security, where the adversary may be limited only by the laws of quantum mechanics. It does, however, make sense to also define computational security in the quantum setting, because quantum cryptography can realize tasks with computational security which are believed to be impossible classically (see the last footnote below).




A machine is said to be quantum polynomial time if it can be invoked only a polynomial number of times in the security parameter k and the input-output behavior of the machine can be simulated by a quantum Turing machine in time polynomial in k. If now all protocol participants, the adversary and the environment machine are quantum polynomial-time machines, then we say that a protocol π realizes F with quantum computational security if for all A there exists an S such that for all Z the output distribution of Z when interacting with A and π is indistinguishable in quantum polynomial time from the output distribution of Z when interacting with F and S. I.e., if we denote by out_{π,A,Z} the random variable of the output of Z in the real protocol and by out_{F,S,Z} the corresponding random variable for the ideal model, then we demand that for every quantum polynomial-time machine D it holds that

|P(D(out_{π,A,Z}) = 1) − P(D(out_{F,S,Z}) = 1)|

is negligible in the security parameter (where a function ε is called negligible if it is asymptotically smaller than 1/k^n for every constant n).

Footnote: One distinguished machine, called master scheduler, will be invoked if this rule does not apply.

Footnote: In case of a reactive functionality inputs can also depend on previous outputs or on protocol messages.

Footnote: In the case of key distribution this amounts to approximate security with ε negligible, i.e., asymptotically smaller than any 1/k^n.

Footnote: E.g., realizing oblivious transfer from a one-way function [50, 21].
5.1 The Composition Theorem

The UC framework provides a very strict notion of security, and for a protocol ρ securely realizing an ideal protocol F in the UC framework strong composition guarantees can be obtained. We denote by π^F that a protocol π invokes a protocol F as a subprotocol and by π^ρ that F has been replaced by a protocol ρ. We write π ≥ ρ to denote that the protocol π securely realizes ρ in the UC framework. Now the (simple) composition theorem (see [43, 45]) states that if ρ ≥ F then π^ρ securely realizes π^F. In particular, if π^F securely realizes a functionality G then also π^ρ realizes G.

Denote by ρ* the concurrent composition of (polynomially many) instances of ρ and by F* the concurrent composition of (polynomially many) instances of F. Then the (concurrent) composition theorem guarantees that if ρ ≥ F it also holds that ρ* ≥ F*.

Combining simple and concurrent composition we obtain the composition theorem where a larger application π may use multiple instances of a subprotocol: Given a protocol ρ which securely realizes a protocol F in the UC framework, the protocol π^ρ securely realizes π^F in the UC framework.

The UC framework is to a certain extent a minimal requirement for the composition theorem. In the classical case it was shown in [24] that a security notion comparable to the UC framework naturally arises if one demands stand-alone simulatability (see Section 4.1) and the existence of a composition theorem.

5.2 Information Theoretical Security and Quantum Adversaries 

One very interesting result proven in the quantum universal composability framework regards the security of classical protocols with respect to a quantum adversary. Given a protocol which is proven to be statistically secure against a classical adversary, does it remain secure under quantum attacks? Is the speed-up of quantum computing the only threat to classical protocols, or could a quantum attacker together with a quantum environment use entangled quantum information to break classical protocols?

In [45] it was shown that whenever a (classical) protocol ρ realizes some ideal protocol F with respect to statistical security in the classical UC framework, then ρ securely realizes F in the quantum composability setting as well.

This result is very useful. Quantum key distribution (QKD) is composable (cf. Section 2.3) and from QKD one can obtain composable secure communication [32]. Hence secure channels based on quantum cryptography can be used instead of idealized secure channels in many cryptographic settings, such as secure multiparty computation in the presence of an honest majority [11].

5.3 Impossibility of Bit Commitment

In addition to the impossibility of unconditionally secure bit commitment in quantum cryptography [28, 25], a new impossibility result is introduced by the UC framework: Without additional security assumptions bit commitment cannot be realized with computational security [10]. This result generalizes to many more cryptographic tasks like coin flipping or oblivious transfer, and it also holds in the quantum case.

The reason for this impossibility result is that the simulator may no longer act in retrospect, and without additional assumptions every simulation strategy for S could be turned into a cheating strategy for the adversary A in the real protocol.

The additional assumptions used to allow for a computationally secure bit commitment can be a trusted authority providing randomness to the protocol participants before the start of the protocol (the Common Reference String (CRS)) [10], a trusted authority setting up a trusted public key infrastructure, or the availability of tamper-proof hardware. What is worse, such set-up assumptions are needed in quantum cryptography, too. The impossibility result of [10] directly carries over to the quantum case; thus in the UC framework quantum cryptographic protocols cannot even achieve a computationally secure bit commitment without additional security assumptions.

So for many cryptographic tasks where the protocol participants are mutually mistrusting one has a trade-off between the strength of the composability guarantees and the strength of the assumptions needed to achieve these tasks. For certain applications the threats introduced by the additional assumptions (e.g., the trusted authorities) weigh heavier than the threats introduced by improper composition of protocols, and it seems that for this case there is no security notion which is without a compromise.

As we will see in the next subsection, the above impossibility result also affects the composability of protocols in the bounded quantum storage model [13]. To allow for simulatable security in the bounded quantum storage model the memory restrictions have to be different in the real and in the ideal model, which results in difficulties when applying the composition theorem multiple times.

5.4 Composability in the Bounded Quantum Memory Model 

Even though many interesting cryptographic tasks are not realizable from scratch, these tasks can be realized under very reasonable security assumptions, e.g., that the adversary is limited in performing large coherent operations [37] or that the adversary has a quantum memory which is bounded in size [13]. It was shown that the protocols in the bounded quantum storage model do compose sequentially [47]; however, the protocols as stated do not allow general composition. With an example we will illustrate that this seems to be a general problem. To have a useful composition theorem we need that the at-least-as-secure-as relation (≥) is transitive, because otherwise we cannot repeatedly apply the composition theorem in the modular design of a cryptographic protocol. To be able to conclude from π ≥ ρ and ρ ≥ F that π securely realizes F, we need that the simulator in the protocol ρ be admitted as a real adversary for ρ if this protocol is to be compared with F. In [50] it is shown that it is possible to achieve oblivious transfer (and hence bit commitment) if the real adversary is restricted to have no quantum memory at all. However, the simulator for this protocol needs quantum memory for the simulation. So if we restrict the simulator to have no quantum memory, oblivious transfer is not realizable any more, and having different restrictions for the real attacker and the simulator results in ≥ not being transitive. A way around this problem is to generalize the notion of at least as secure as to one that explicitly involves the memory bound of the adversary as a parameter, as proposed in [44].

6 Conclusions 

This work reviewed composable security in quantum cryptography. In the first part of the paper 
the focus was on quantum key distribution (QKD), the most prominent application of quantum 
cryptography. We discussed the requirements that a composable security definition must fulfill and 
illustrated the importance of these requirements by an attack which exploits a typical weakness of a 
non-composable (but widely used) definition for secrecy. To show the utility of composable security, 
we constructed a scheme to generate a continuous key stream by sequentially composing rounds of 
a quantum key distribution protocol. 

The second part of the work took a more general point of view, which is necessary for the study 
of security applications involving general tasks as well as mutually distrustful parties. We explained 
the universal composability framework and stated its composition theorem which gives strong com- 
posability guarantees. Of special interest was the secure composition of quantum protocols into 
unconditionally secure classical protocols. This shows that every unconditionally secure protocol 
possible in the secure channel model is also possible with QKD and does not even need a new proof. 

However, there are open problems left. A drawback of the universal composability framework is that some tasks become impossible there without adding new security assumptions. E.g., quantum bit commitment is impossible in the universal composability framework even with mere computational security or with respect to an attacker in the bounded quantum storage model. Hence we observe a trade-off between the strong guarantees provided by universal composability and the possibility of using fewer security assumptions. Addressing this trade-off remains an open problem. A concrete approach may be to consider additional (weak) setup assumptions, e.g., a Common Reference String as used in the classical model [10].

Another open question regards a weakness inherent to most existing security proofs in quantum cryptography. These proofs typically rely on a specific model for the hardware the scheme is built on (e.g., the photon sources and detectors used for optical QKD). Obviously, the security claims derived for such a model generally only apply to implementations that strictly match the model. This, however, is almost never the case in practice. Indeed, explicit attacks exploiting the deviation of the implementation from the theoretical model have been demonstrated recently (see, e.g., [51, 52]). It would thus be desirable to have a (composable) framework that allows a more flexible modeling of the underlying hardware devices.